Parliamentary watchdog: Bank IT concerns not yet addressed

UK banks report 75 cyber-attacks to FCA in one year

Concerns about the security and resilience of bank IT systems have not yet been addressed, a prominent MP has said in a letter to UK regulators.

Andrew Tyrie, chairman of the Treasury Committee in the UK House of Commons, asked Andrew Bailey, chief executive of the Financial Conduct Authority (FCA), and Sam Woods, deputy governor at the Bank of England and head of the Prudential Regulatory Authority (PRA), to explain whether the regulators are suitably equipped to address problems of cybersecurity in the sector.

Tyrie also asked the regulators to confirm whether the senior managers' regime requires banks to "have an explicit senior management function with responsibility for information technology". He said it "probably should".

"Interruptions to the continuity of bank payment services are unacceptably common," Tyrie said in his letters. "It also seems highly plausible that criminals are stealing money from the banks and their customers by electronic means. Not all of these attempts may have been made known to the public. Perhaps some are not known to the banks. Bearing in mind that the banks' main job is to look after their customers' money, and make it available to them, this is not a happy state of affairs. The Committee is not aware of robust evidence that either of these serious weaknesses in our banking system is on the mend."

Tyrie's letters to Bailey and Woods follow on from previous correspondence between the Treasury Committee and the FCA and PRA on the issue of bank IT resilience and security. In January, Tyrie wrote to the regulators and said that banks should be set "clear objectives and targets" on improving the performance of their IT systems following a number of major outages.

Expert in financial services and technology Angus McFadyen of Pinsent Masons, the law firm behind Out-Law.com, said: "There is no quick fix for these issues. It requires heavy investment and large change programmes to move legacy systems onto modern highly resilient infrastructure and software solutions – these programmes will be vying for attention alongside the many regulatory change programmes that are on-going at present, such as ring-fencing."

"We mustn’t forget that IT outages are not a challenge unique to banking, although the impact can be most acute there - we’ve seen real challenges in insurance with the outages at SSP impacting a large number of brokers," he said.

In his recent letters Tyrie asked Bailey and Woods to explain what action has been taken by the FCA and PRA to "ensure that inadequate security measures at banks participating in SWIFT are urgently addressed". The question relates to the cybersecurity weaknesses and risks SWIFT, the global financial network, has flagged in recent months.

Tyrie has also asked the regulators to outline their views on the security of "remote and online banking applications" and "the use of biometric information to verify customer identities".

"As we have previously reported, cyber resilience is already high on the agenda of the FCA," said financial services IT contracts specialist Tim Roughton of Pinsent Masons. "Cybersecurity and IT systems’ resilience is also a board-level issue for banks that are having to deal with unprecedented levels of cyber attacks – at least 75 have been reported to FCA this year – and reputation-damaging outages."

"The oversight and scrutiny from the regulators will only increase when the banks become subject to the NIS Directive which will impose new network and information security requirements on operators of essential services. With this backdrop, it is not clear whether this additional political scrutiny will have any practical effect on the regulators’ attitude or the ultimate security measures being undertaken by banks," he said.

In a statement issued alongside copies of his correspondence with Bailey and Woods, Tyrie said: "Banks continue to suffer failures and breaches of their IT systems, exposing millions of customers to uncertainty, disruption and sometimes distress. We can’t carry on like this. Responsibility for sound IT systems is often lacking at the highest levels of management, and ultimately customers pay the price."

"In January, on behalf of the Treasury Committee, I wrote to the regulators urging them to take action to ensure that banks improve the resilience and security of their systems and enhance IT expertise at board level, with a clear understanding of accountability when things go wrong. The regulators themselves also need a clear division of responsibilities to avoid duplication and gaps in their approach to address these problems," he said.

"Customers remain more exposed than necessary to the risks of IT failures, including delays in paying bills and an inability to obtain access to their own money. The proliferation of remote and online banking, including the use of biometric data for customer identification, may also be increasing the risk of unauthorised access to their accounts. A great deal of work still needs to be done. So I have written today to the FCA and the PRA for further assurances that they are getting on with it," Tyrie said.